Author Institution:
Department of Software and Information Systems, University of North Carolina at Charlotte, 28223, USA
Abstract:
According to a recent IBM study, the average cost of a stolen record rose 9% to $145 in 2014. Since millions of credit card records are stolen every year, the cost can easily run into billions of dollars. Consequently, application security is a very important concern during application development today. Resolving security problems late in the development process is very time consuming and expensive, so it is preferable to detect and resolve security vulnerabilities as early as possible. A technique called static analysis makes it possible to partially address this problem. Static analysis tools examine source code without running it and attempt to detect security vulnerabilities. Unfortunately, however, static analysis tools generate very large numbers of false positives. For a static analysis tool to be effective, extraordinarily complex custom rules must be written for it, and this must be done by a security expert for every application the tool runs on. To make matters worse, communicating information about complex vulnerabilities to application developers presents a unique challenge in and of itself. If the developer does not understand why a certain line is flagged as potentially vulnerable and is not given detailed information, it will be far more difficult for him or her to resolve the problem. Consequently, static analysis tools are seldom used.
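The abstract's two central claims, that a generic static rule produces false positives and that an application-specific custom rule is needed to suppress them, can be shown concretely with a miniature taint-tracking analyzer. The following is an added example written for this page; it is not code from the paper or from any tool the paper evaluates. The analyzer, the `SAMPLE` source it scans, the `execute` sink and the `quote_int` sanitizer are all constructed for illustration.

```python
import ast

# Constructed sample program to analyze. lookup_user builds a query by
# concatenating an untrusted parameter (a real injection risk);
# lookup_user_safe wraps the parameter in quote_int(), an application-specific
# sanitizer that a generic rule knows nothing about.
SAMPLE = '''
def lookup_user(db, user_id):
    query = "SELECT * FROM users WHERE id = " + user_id
    return db.execute(query)

def lookup_user_safe(db, user_id):
    query = "SELECT * FROM users WHERE id = " + quote_int(user_id)
    return db.execute(query)
'''

# Method names treated as dangerous sinks (hypothetical rule set).
SINKS = {"execute"}


def is_tainted(expr, tainted_names, sanitizers):
    """Return True if the expression carries data derived from a tainted name
    that has not passed through a function listed in `sanitizers`."""
    if isinstance(expr, ast.Name):
        return expr.id in tainted_names
    if isinstance(expr, ast.Call):
        # A call to a known sanitizer cleans its arguments; any other call
        # is assumed to propagate taint from its arguments.
        if isinstance(expr.func, ast.Name) and expr.func.id in sanitizers:
            return False
        return any(is_tainted(a, tainted_names, sanitizers) for a in expr.args)
    if isinstance(expr, ast.BinOp):
        return (is_tainted(expr.left, tainted_names, sanitizers)
                or is_tainted(expr.right, tainted_names, sanitizers))
    if isinstance(expr, ast.JoinedStr):  # f-strings
        return any(isinstance(v, ast.FormattedValue)
                   and is_tainted(v.value, tainted_names, sanitizers)
                   for v in expr.values)
    return False


def scan(source, sanitizers=frozenset()):
    """Flag every sink call whose argument is derived from a function parameter.

    Returns a list of (function_name, line_number) findings. With no
    sanitizers configured this is the generic rule; passing the application's
    own sanitizer names is the 'custom rule' that removes false positives."""
    tree = ast.parse(source)
    findings = []
    for fn in (n for n in ast.walk(tree) if isinstance(n, ast.FunctionDef)):
        # Every parameter is treated as untrusted input.
        tainted = {a.arg for a in fn.args.args}
        for stmt in fn.body:
            # Propagate taint through simple assignments: x = <tainted expr>.
            if (isinstance(stmt, ast.Assign) and len(stmt.targets) == 1
                    and isinstance(stmt.targets[0], ast.Name)
                    and is_tainted(stmt.value, tainted, sanitizers)):
                tainted.add(stmt.targets[0].id)
            # Report any sink call fed by tainted data.
            for node in ast.walk(stmt):
                if (isinstance(node, ast.Call)
                        and isinstance(node.func, ast.Attribute)
                        and node.func.attr in SINKS
                        and any(is_tainted(a, tainted, sanitizers) for a in node.args)):
                    findings.append((fn.name, node.lineno))
    return findings


if __name__ == "__main__":
    print("generic rule:", scan(SAMPLE))
    print("with custom sanitizer rule:", scan(SAMPLE, sanitizers=frozenset({"quote_int"})))
```

Run with the generic rule, the scan reports both functions, and the report on `lookup_user_safe` is exactly the kind of false positive the abstract describes: the tool cannot know that `quote_int` neutralizes the input. Only after someone who understands the application supplies that fact as a custom rule does the result narrow to the real finding, which is why the rule-writing burden scales with every application the tool is pointed at.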